WO2019127890A1 - Vulnerability scanning method, device, computer apparatus, and storage medium - Google Patents


Info

Publication number
WO2019127890A1
Authority
WO
WIPO (PCT)
Application number
PCT/CN2018/077372
Other languages
English (en)
Chinese (zh)
Inventor
周圣龙
Original Assignee
平安科技(深圳)有限公司

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis
    • H04L63/1408 Detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/30 Network security for supporting lawful interception, monitoring or retaining of communications or communication related information
    • H04L63/306 Intercepting packet switched data communications, e.g. Web, Internet or IMS communications

Definitions

  • the present application relates to the field of computer technologies, and in particular, to a vulnerability scanning method, apparatus, computer device, and storage medium.
  • the traditional vulnerability scanning technology refers to a security detection (penetration attack) behavior that detects the security vulnerabilities of a specified remote or local computer system by scanning and other means based on a vulnerability database, thereby discovering exploitable vulnerabilities.
  • in the traditional vulnerability scanning technology, the scanning server actively crawls the data to be scanned in the server through crawling technology, and then judges whether the crawled data has a vulnerability by running all the vulnerability matching rules in the vulnerability database, so the scanning efficiency is relatively low.
  • a vulnerability scanning method, apparatus, computer device, and storage medium are provided.
  • a vulnerability scanning method comprising:
  • the traffic data to be scanned is subjected to vulnerability scanning using the vulnerability scanning rule.
  • a vulnerability scanning device comprising:
  • a traffic intercepting module configured to intercept traffic data to be scanned
  • a data judging module configured to determine whether the intercepted traffic data to be scanned is dynamic data
  • a querying module configured to query whether the traffic data to be scanned has a parameter when the intercepted traffic data to be scanned is dynamic data
  • a traffic type obtaining module configured to acquire a type of the to-be-scanned traffic data when the traffic data to be scanned has a parameter
  • a rule obtaining module configured to acquire a vulnerability scanning rule corresponding to the type of the traffic data to be scanned
  • a scanning module configured to perform vulnerability scanning on the to-be-scanned traffic data by using the vulnerability scanning rule.
  • a computer device comprising a memory, a processor, and a computer readable instruction stored thereon, the processor executing the computer readable instructions to implement the following steps:
  • the traffic data to be scanned is subjected to vulnerability scanning using the vulnerability scanning rule.
  • One or more computer readable non-volatile storage media storing computer readable instructions, when executed by one or more processors, cause one or more processors to perform the steps of:
  • the traffic data to be scanned is subjected to vulnerability scanning using the vulnerability scanning rule.
  • FIG. 1 is an application scenario diagram of a vulnerability scanning method in an embodiment
  • FIG. 2 is a block diagram of a scan server in an embodiment
  • FIG. 3 is a schematic flow chart of a vulnerability scanning method in an embodiment
  • FIG. 4 is a structural block diagram of a vulnerability scanning apparatus in an embodiment
  • FIG. 5 is a diagram showing the internal structure of a computer device in one embodiment.
  • the vulnerability scanning method provided by the present application can be applied to an application environment as shown in FIG. 1.
  • the terminal can access resources on the network through a core switch or a router, and the scan server can intercept the traffic data of the terminal through the core switch or the router, or by setting up a proxy server; the scan server can then passively scan the traffic data as it is intercepted to determine whether the traffic data is vulnerability data, thereby implementing vulnerability detection.
  • the terminal can be, but is not limited to, various personal computers, notebook computers, smart phones, tablets, and portable wearable devices.
  • the scanning server can be implemented by a separate server or a server cluster composed of multiple servers.
  • FIG. 2 is an architectural diagram of a scan server in an embodiment, including a system foundation, a scheduling engine, and a web application service.
  • the scheduling engine is mainly for a passive scan service
  • the web application service is mainly for querying the record service and for display on the UI interface.
  • the scheduling engine may adopt a distributed multi-threaded deployment, where a machine learning model, a scan engine, and a system upgrade program are set.
  • the machine learning model may be a decision tree model
  • the scan engine mainly stores the vulnerability scanning rules, and the system upgrade program is mainly for upgrading the system.
  • the web application service mainly includes a report module, a log module, and a configuration module.
  • the web application service is mainly for querying the record service, that is, after each vulnerability scan is completed, a log can be generated and stored in the log module, and a corresponding report, for example a vulnerability report, is generated according to the scan result and displayed on the corresponding UI interface.
  • a vulnerability scanning method is provided, which is applied to the scanning server in FIG. 1 as an example, and includes the following steps:
  • S302 Intercept the traffic data to be scanned.
  • the traffic data refers to data generated when the terminal accesses resources on the network, and includes the access request message.
  • the terminal used by the user can access the resources on the Internet.
  • the traffic data can be intercepted at the backbone node or the link node, and the intercepted traffic is stored in the scan server, so that whether a vulnerability exists can be determined according to the traffic data.
  • S304 Determine whether the intercepted traffic data to be scanned is dynamic data.
  • dynamic data is data that can be seen and interacted with, giving users a good experience: users are no longer passive browsers. For example, message boards, forums, and user registrations are dynamic and allow users to interact with the website, while static data is for viewing only.
  • the traffic that does not need vulnerability detection may be removed from the intercepted traffic data by machine learning, for example by a decision tree algorithm: when traffic data to be scanned is intercepted, it is input into the machine learning model, which first determines whether the traffic data to be scanned is dynamic data.
  • the machine learning model may be pre-configured, for example by generating a training set and a test set from historically scanned data, where the training set is used to train an initial model and the test set is used to correct the initial model to ensure the correctness of the model.
  • in the second step, the machine learning model may determine whether the traffic data has parameters, and only traffic to be scanned that has parameters undergoes vulnerability scanning.
  • the traffic to be scanned without parameters does not need to acquire the resources of the server on the network, and therefore does not perform vulnerability scanning.
  • the two-step machine learning can be integrated into a single machine learning model, that is, when the traffic data to be scanned is input into the integrated model, static data and parameterless data to be scanned can be filtered out.
  • when the traffic data to be scanned is dynamic data and a parameter exists, the traffic data to be scanned needs to be scanned for vulnerabilities. Therefore, the type of the traffic data to be scanned is obtained first, so that different vulnerability scanning rules can be obtained for different types, which in turn reduces the number of vulnerability scanning rules executed.
  • S310 Obtain a vulnerability scanning rule corresponding to the type of the traffic data to be scanned.
  • the type of the traffic data to be scanned may include web traffic or network traffic, etc.; according to the type, the corresponding vulnerability detection rules may be obtained, thereby reducing the number of vulnerability detection rules executed.
  • when the traffic data to be scanned is web traffic, the vulnerability detection rules for web traffic are obtained directly, without needing the entire set of vulnerability detection rules, which improves the execution efficiency of the vulnerability detection rules.
  • the vulnerability scanning rule refers to a rule pre-stored in the scanning server.
  • by comparing the traffic data to be scanned with the vulnerability scanning rule, a result of whether the traffic data to be scanned is vulnerability data can be obtained, thereby implementing the vulnerability scan. For example, when the traffic data to be scanned matches the vulnerability scanning rule, it indicates that the traffic data to be scanned is vulnerability data, so subsequent interception or the like is needed to prevent it from being accessed normally. When the traffic data to be scanned does not match the vulnerability scanning rule, it indicates that the traffic data to be scanned is not vulnerability data, and it can be accessed normally without subsequent interception or the like.
  • the above vulnerability scanning method first intercepts the traffic data to be scanned, that is, the traffic data is intercepted whenever the client accesses data, so that the coverage of the traffic data to be scanned becomes larger; secondly, before the vulnerability scan, the traffic data that does not need to be scanned is eliminated, which reduces the scanning volume and improves the vulnerability scanning efficiency. Finally, the corresponding vulnerability scanning rules are obtained according to the type of the traffic data to be scanned, without requiring every vulnerability scanning rule in the database to be executed once, which can greatly reduce the number of executions of vulnerability scanning rules and thereby improve the efficiency of vulnerability scanning.
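The pipeline just described (intercept, dynamic-data check, parameter check, type-based rule selection, scan) as a runnable sketch. This is an added example, not code from the patent or its assignee; the request record layout, the static-extension heuristic, the three detection rules and the sample traffic are all constructed here. The optional `kind` argument of `scan` also shows the supplementary re-scan with another type's rules that the rule adjustment instruction described later triggers.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlsplit


@dataclass(frozen=True)
class Traffic:
    """One intercepted request. Constructed record layout, not the patent's."""
    method: str
    url: str
    body: str = ""          # form-encoded body, if any
    kind: str = "web"       # traffic type used for rule selection ("web" or "network")


@dataclass(frozen=True)
class Rule:
    name: str
    kind: str               # traffic type this rule belongs to
    pattern: re.Pattern     # applied to each parameter value


# Illustrative rule base keyed by traffic type (assumed rules, not the patent's).
RULES = (
    Rule("path_traversal", "web", re.compile(r"\.\./")),
    Rule("script_tag", "web", re.compile(r"<\s*script", re.I)),
    Rule("oversized_value", "network", re.compile(r"^.{513,}$", re.S)),
)

STATIC_EXT = (".css", ".js", ".png", ".jpg", ".gif", ".ico", ".svg", ".woff")


def is_dynamic(t: Traffic) -> bool:
    """S304: write methods, query strings and non-static resources count as dynamic."""
    parts = urlsplit(t.url)
    if t.method.upper() in ("POST", "PUT", "PATCH", "DELETE") or parts.query:
        return True
    return not parts.path.lower().endswith(STATIC_EXT)


def parameters(t: Traffic) -> dict:
    """S306: collect query-string and form-body parameters (percent-decoded)."""
    params = dict(parse_qsl(urlsplit(t.url).query, keep_blank_values=True))
    if t.body:
        params.update(parse_qsl(t.body, keep_blank_values=True))
    return params


def rules_for(kind: str) -> list:
    """S310: load only the rules for this traffic type, not the whole rule base."""
    return [r for r in RULES if r.kind == kind]


def scan(t: Traffic, kind: str = "") -> dict:
    """S302..S312 pipeline. 'executed' counts the rules actually run; passing
    'kind' re-scans with another type's rules (the supplementary-rule step)."""
    if not is_dynamic(t):
        return {"status": "skipped", "reason": "static", "executed": 0}
    params = parameters(t)
    if not params:
        return {"status": "skipped", "reason": "no parameters", "executed": 0}
    rules = rules_for(kind or t.kind)
    hits = [(r.name, p) for r in rules for p, v in params.items() if r.pattern.search(v)]
    return {"status": "vulnerable" if hits else "clean", "hits": hits, "executed": len(rules)}


# Constructed sample of intercepted traffic, one request per pipeline branch.
SAMPLE = (
    Traffic("GET", "http://app.example/static/app.css"),                    # static
    Traffic("GET", "http://app.example/forum/index.jsp"),                   # dynamic, no params
    Traffic("GET", "http://app.example/forum/post.jsp?id=42"),              # dynamic, clean
    Traffic("POST", "http://app.example/guestbook/submit.do",
            body="name=bob&msg=..%2F..%2Fsecret.txt"),                      # traversal in body
    Traffic("GET", "http://app.example/api/ping?host=" + "A" * 600,
            kind="network"),                                                # network-type rule
)

if __name__ == "__main__":
    for t in SAMPLE:
        print(t.method, urlsplit(t.url).path, scan(t))
```

Only two of the three rules run for web traffic and one for network traffic, which is the execution-count saving the passage describes; re-running `scan(SAMPLE[3], "network")` applies the other type's rules to the same request.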
  • the step of intercepting the traffic data to be scanned may be followed by: acquiring the current resource occupancy rate; if the current resource occupancy rate exceeds the threshold, acquiring the resource occupancy rates of the standby scanning servers; and having the standby scanning server with the lowest resource occupancy rate continue to perform the step of determining whether the intercepted traffic data to be scanned is dynamic data.
  • the scan server exists in the form of a cluster, and a main scan server is set.
  • when the main scan server intercepts the traffic data to be scanned, the resource occupancy rate of the main scan server is first determined. If the current resource occupancy rate of the main scan server exceeds the threshold, the current scan server is heavily loaded, so the resource occupancy rates of the standby scan servers are obtained and the standby scan server with the lowest resource occupancy rate is selected to perform the vulnerability scan, that is, to determine whether the intercepted traffic data to be scanned is dynamic data and so on. When the resource occupancy rates of the standby scanning servers are obtained, they may be sorted, which makes the selection more convenient.
  • the threshold of the current resource occupancy rate may be determined according to experience, or determined according to the test peak value during the system stress test, for example, determining different thresholds according to the amount of the intercepted traffic data to be scanned.
  • the resource occupancy rate may refer to the occupancy rate of the CPU of the scan server.
  • the resource occupancy rate of the primary scanning server is first determined, and the vulnerability scanning is performed by the primary scanning server; when the resource occupancy rate of the primary scanning server exceeds the threshold, the standby scan server is started and performs the vulnerability scanning, which ensures consistent and normal operation of the system.
  • the step of obtaining the current resource occupancy rate may be preceded by: determining whether the current scan server is faulty; if the current scan server is not faulty, continuing to perform the step of acquiring the current resource occupancy rate; if the current scan server is faulty, obtaining the resource occupancy rates of the standby scan servers, and having the standby scan server with the lowest resource occupancy rate continue to perform the step of determining whether the intercepted traffic data to be scanned is dynamic data.
  • before acquiring the current resource occupancy rate, it is first determined whether the current scan server is faulty. If no fault occurs, the current resource occupancy rate is then determined, and whether the current scan server performs the vulnerability detection is decided accordingly. If the current scan server is faulty, the standby scan server with the lowest resource occupancy rate continues to perform the step of determining whether the intercepted traffic data to be scanned is dynamic data, without first determining the current resource occupancy rate, which saves that step.
  • the standby scan server selected is the one whose resource occupancy rate is below the preset resource occupancy value and is the lowest; for example, with three standby scan servers A, B, and C whose resource occupancy rates are a, b, and c respectively, where a is greater than the preset resource occupancy value m while b and c are less than m, if b is less than c, the standby scan server B corresponding to the resource occupancy rate b continues to perform the step of determining whether the intercepted traffic data is dynamic data. In this embodiment the resource occupancy preset value is not specifically limited and may be set according to experience.
  • the scan server uses a distributed architecture, multi-threaded queue form for plug-in scanning or rule matching. For example, you can set up one main scanning server and multiple standby scanning servers.
  • when the scan server receives the intercepted traffic, it first determines whether the primary scanning server is faulty. If the primary scanning server is faulty, the traffic is scanned through a standby scanning server; for example, the standby scan servers can be checked one by one in order, and when the current standby scan server is also faulty, the next one is checked in order until a standby scan server without a fault is found. If the primary scan server is not faulty, the current resource usage rate of the primary scan server is obtained; when the resource usage rate does not exceed the threshold, the current scan server performs the scan, and when it exceeds the threshold, the scan is handed to a standby scan server. For example, the current resource usage rates of the standby scan servers can be obtained first and sorted, and a standby scan server with low resource occupancy is selected for scanning.
  • it is first determined whether the current scan server is faulty. If a fault occurs, a standby scan server is directly selected for vulnerability scanning. If no fault occurs, the resource occupancy rate of the current scan server is first determined: when the resource usage of the current scan server does not exceed the threshold, the current scan server scans for vulnerabilities; when it exceeds the threshold, other scan servers are started and scan for vulnerabilities. This ensures consistent and normal operation of the system.
  • the step of intercepting the traffic data to be scanned further includes: counting the number of interceptions of the traffic data to be scanned; starting a corresponding number of scan servers according to the number of interceptions; and distributing the traffic data to be scanned to the started scan servers, which continue to perform the step of determining whether the intercepted traffic data to be scanned is dynamic data.
  • the number of interceptions of the traffic to be scanned refers to the number of times the scan server receives a vulnerability scan request, that is, after the core switch, router, or proxy server intercepts the traffic to be scanned, it sends a vulnerability scan request carrying the traffic data to be scanned to the scan server.
  • the scan server control system starts a corresponding number of scan servers according to the number of interceptions, and distributes the traffic data to be scanned to the started scan servers, so that the plurality of scan servers scan the traffic data to be scanned together.
  • the number of interceptions of the traffic data to be scanned is obtained, that is, the number of requests to scan the traffic data to be scanned is acquired, the corresponding number of scanning servers is started according to that number, and the received requests are then assigned to the corresponding scanning servers according to a load balancing policy. For example, when there are 3000 requests to be processed, three scanning servers are started; according to the load balancing policy, the 3000 requests are allocated in turn to the three scanning servers, and the three scanning servers process the requests simultaneously, which improves scanning efficiency.
  • each scanning server can use multi-threaded scanning, that is, each scanning server receives 50 requests and starts 50 threads, with each thread scanning the traffic data to be scanned in 20 requests, so that the efficiency can be further improved.
  • the processing peak of each scanning server may be preset, and a processing level is preset for each scanning server and selected according to the number of received requests; for example, when the number of received requests is a first quantity, the processing level is level 1, and when it is a second quantity, the processing level is level 2; the processing request amount of a scanning server at level 1 is A and at level 2 is B, and the processing level is selected according to the number of received requests.
  • the number of scanning servers that need to be started is determined according to the number N of received requests and the processing request amount A of the primary scanning server, that is, N/A; then, according to the quantity A, the number of threads that each scanning server needs to start is determined, thereby implementing parallel processing of requests and improving processing efficiency.
  • the corresponding number of scanning servers is started according to the number of requests, and the received requests are then allocated to the scanning servers according to the load balancing policy, which improves processing efficiency.
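The scheduling rules from the preceding passages (fault check before occupancy check, lowest-occupancy standby below a preset value, N/A servers, round-robin distribution, threads per server) as one runnable sketch. This is an added example, not code from the patent; the server model, the CPU-percent occupancy scale, and the 3000-request walk-through values are constructed here to match the worked numbers in the text.

```python
import math
from dataclasses import dataclass
from typing import Optional


@dataclass
class ScanServer:
    """Constructed model of one scan server in the cluster."""
    name: str
    occupancy: float        # resource occupancy rate, e.g. CPU usage in percent
    faulty: bool = False


def choose_scanner(primary: ScanServer, standbys: list, threshold: float,
                   preset: Optional[float] = None) -> ScanServer:
    """Order of checks from the passage: fault first, then the occupancy threshold.
    A healthy primary at or under the threshold keeps the job; otherwise the
    standby servers are sorted by occupancy and the lowest one (below the
    optional preset value m, when given) continues with the dynamic-data step."""
    if not primary.faulty and primary.occupancy <= threshold:
        return primary
    # Faulty standbys are skipped, which is the "check one by one in order" rule.
    candidates = sorted((s for s in standbys if not s.faulty), key=lambda s: s.occupancy)
    if preset is not None:
        candidates = [s for s in candidates if s.occupancy < preset]
    if not candidates:
        raise RuntimeError("no standby scan server available")
    return candidates[0]


def plan_servers(n_requests: int, per_server: int) -> int:
    """Number of scan servers to start: N / A, rounded up so no request is dropped."""
    return max(1, math.ceil(n_requests / per_server))


def distribute(requests: list, n_servers: int) -> list:
    """Round-robin load balancing of scan requests over the started servers."""
    buckets = [[] for _ in range(n_servers)]
    for i, req in enumerate(requests):
        buckets[i % n_servers].append(req)
    return buckets


def thread_plan(requests_on_server: int, per_thread: int) -> int:
    """Threads a server starts when each thread handles 'per_thread' requests."""
    return max(1, math.ceil(requests_on_server / per_thread))


if __name__ == "__main__":
    primary = ScanServer("primary", occupancy=92.0)
    standbys = [ScanServer("A", 85.0), ScanServer("B", 30.0), ScanServer("C", 45.0)]
    print("selected:", choose_scanner(primary, standbys, threshold=80.0, preset=60.0).name)
    n = plan_servers(3000, per_server=1000)
    buckets = distribute(list(range(3000)), n)
    print(n, "servers,", [len(b) for b in buckets], "requests each,",
          thread_plan(len(buckets[0]), per_thread=20), "threads per server")
```

With a per-server capacity of 1000, the 3000-request case yields three servers of 1000 requests and 50 threads of 20 requests each, which is the thread arithmetic the passage walks through.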
  • the method further includes: receiving a vulnerability scanning rule adjustment instruction for the traffic data to be scanned; obtaining a vulnerability scanning supplementary rule according to the vulnerability scanning rule adjustment instruction; and performing vulnerability scanning on the traffic data to be scanned through the vulnerability scanning supplementary rule.
  • the scanning result of the traffic data to be scanned may be problematic; to avoid this, the scan result of the traffic data to be scanned can be displayed on the UI interface, and the vulnerability scan rule adjustment instruction for the traffic data to be scanned can be received through the UI interface.
  • the scan server may first scan with the web traffic vulnerability scanning rules and output the scan result, but the tester may consider the scan insufficient and then invoke the network traffic scanning rules to scan the web traffic again, that is, the vulnerability scanning supplementary rules are obtained according to the vulnerability scanning rule adjustment instruction and the traffic data to be scanned is scanned with them, which improves the accuracy of the vulnerability scanning rules.
  • a vulnerability scanning rule adjustment instruction may further be received and used to obtain another type of vulnerability scanning rule to scan the traffic again; that is, the system is configured through the web application service. In this embodiment, not only dynamic scanning of the traffic is supported but also manual intervention, so that key traffic can be scanned comprehensively and the accuracy of the vulnerability scanning is improved.
  • the step of intercepting the traffic data to be scanned may include intercepting the traffic data to be scanned by an agent set in advance at the client.
  • the step of intercepting the traffic data to be scanned may include: receiving the mirrored traffic data generated by the core switch according to the intercepted traffic data to be scanned as the traffic data to be scanned.
  • the traffic interception may be performed at the trunk or primary link node, so an agent may be set in the client in advance, and when the client installed on the terminal sends traffic data, the agent preset in the client intercepts the traffic data to be scanned. Alternatively, when the core switch or router receives the traffic data sent by the client, the core switch or router mirrors the traffic data and sends the mirrored traffic data to the scan server, thereby implementing interception of the traffic data to be scanned.
  • by performing traffic interception at the trunk or primary link node and sending the intercepted traffic data to be scanned to the scan server, the scan server passively scans the traffic data instead of crawling it as in the traditional approach, which ensures the integrity of the traffic data to be scanned.
  • although the steps in the flowchart of FIG. 3 are displayed in sequence as indicated by the arrows, these steps are not necessarily performed in the order indicated by the arrows. Unless explicitly stated herein, the execution order of these steps is not strictly limited, and the steps may be performed in other sequences. Moreover, at least some of the steps in FIG. 3 may include a plurality of sub-steps or stages, which are not necessarily performed at the same time but may be performed at different times, and the execution order of these sub-steps or stages is also not necessarily sequential; they may be performed in turn or alternately with other steps or with at least a portion of the sub-steps or stages of other steps.
  • a vulnerability scanning apparatus including: a traffic interception module, a data determination module, a query module, a traffic type acquisition module, a rule acquisition module, and a scanning module, where:
  • the traffic intercepting module 100 is configured to intercept traffic data to be scanned.
  • the data judging module 200 is configured to determine whether the intercepted traffic data to be scanned is dynamic data.
  • the query module 300 is configured to query whether the traffic data to be scanned has a parameter when the intercepted traffic data to be scanned is dynamic data.
  • the traffic type obtaining module 400 is configured to acquire the type of the traffic data to be scanned when there is a parameter of the traffic data to be scanned.
  • the rule obtaining module 500 is configured to acquire a vulnerability scanning rule corresponding to the type of the traffic data to be scanned.
  • the scanning module 600 is configured to perform vulnerability scanning on the traffic data to be scanned by using the vulnerability scanning rule.
  • the apparatus may further include:
  • the resource occupancy obtaining module is configured to obtain the current resource occupancy rate after the traffic data to be scanned is intercepted. If the current resource usage rate exceeds the threshold, the resource usage rate of the standby scanning server is obtained.
  • the scanning module is further configured to select the standby scanning server with the lowest resource occupancy rate among the standby scanning servers to continue to determine whether the intercepted traffic data to be scanned is dynamic data.
  • the apparatus may further include:
  • the fault judging module is configured to determine whether the current scan server is faulty before acquiring the current resource occupancy rate.
  • the resource occupancy acquisition module is further configured to: if the current scan server is not faulty, obtain the current resource occupancy rate; if the current scan server is faulty, obtain the resource occupancy rates of the standby scan servers.
  • the scanning module is further configured to select the standby scanning server with the lowest resource occupancy rate of the standby scanning server to continue to determine whether the intercepted traffic data to be scanned is dynamic data.
  • the apparatus may further include:
  • the statistics module is configured to count the number of interception of the traffic data to be scanned before intercepting the traffic data to be scanned.
  • the startup module is configured to start a corresponding number of scan servers according to the number of interceptions.
  • the data judging module is further configured to allocate the to-be-scanned traffic data to the activated scan server to continue to determine whether the intercepted traffic data to be scanned is dynamic data.
  • the apparatus may further include:
  • the receiving module is configured to receive a vulnerability scanning rule adjustment instruction for the traffic data to be scanned after the vulnerability scanning rule scans the traffic data through the vulnerability scanning rule.
  • a supplemental rule acquisition module is configured to obtain a vulnerability scan supplemental rule according to the vulnerability scan rule adjustment instruction.
  • a supplemental scanning module is configured to perform vulnerability scanning on the traffic data to be scanned through the vulnerability scanning supplemental rules.
  • the intercepting module may be further configured to intercept the traffic data to be scanned by an agent preset in the client.
  • the intercepting module is further configured to receive the mirrored traffic data generated by the core switch according to the intercepted traffic data to be scanned as the traffic data to be scanned.
  • Each of the above-described vulnerability scanning devices may be implemented in whole or in part by software, hardware, and combinations thereof.
  • Each of the above modules may be embedded in or independent of the processor in the computer device, or may be stored in a memory in the computer device in a software form, so that the processor invokes the operations corresponding to the above modules.
  • a computer device which may be a server, and whose internal structure diagram may be as shown in FIG. 5.
  • the computer device includes a processor, memory, network interface, and database connected by a system bus.
  • the processor of the computer device is used to provide computing and control capabilities.
  • the memory of the computer device includes a non-volatile storage medium, an internal memory.
  • the non-volatile storage medium stores an operating system, computer readable instructions, and a database.
  • the internal memory provides an environment for operation of an operating system and computer readable instructions in a non-volatile storage medium.
  • the database of the computer device is used to store vulnerability scan rule data.
  • the network interface of the computer device is used to communicate with an external terminal via a network connection.
  • the computer readable instructions are executed by the processor to implement a vulnerability scanning method.
  • FIG. 5 is only a block diagram of a part of the structure related to the solution of the present application, and does not constitute a limitation of the computer device to which the solution of the present application is applied.
  • the specific computer device may include more or fewer components than shown in the figure, may combine some components, or may have a different arrangement of components.
  • a computer device including a memory, a processor, and computer readable instructions stored in the memory; when the processor executes the computer readable instructions it: intercepts the traffic data to be scanned; determines whether the intercepted traffic data to be scanned is dynamic data; when it is dynamic data, queries whether the traffic data to be scanned has a parameter; when it has a parameter, obtains the type of the traffic data to be scanned; obtains the vulnerability scanning rule corresponding to that type; and performs vulnerability scanning on the traffic data to be scanned through the vulnerability scanning rule.
  • the processor may further execute: acquiring the current resource occupancy rate; and, if the current resource occupancy rate exceeds a threshold value, acquiring the resource occupancy rate of each standby scan server;
  • the standby scan server with the lowest resource occupancy rate then continues with the step of determining whether the intercepted traffic data to be scanned is dynamic data.
  • the method may further include: determining whether the current scan server is faulty; if the current scan server is not faulty, proceeding to the step of acquiring the current resource occupancy rate;
  • if the current scan server is faulty, acquiring the resource occupancy rate of each standby scan server, and having the standby scan server with the lowest resource occupancy rate continue with the step of determining whether the intercepted traffic data to be scanned is dynamic data.
  • the processor may further execute: obtaining the number of interceptions of traffic data to be scanned; and starting a corresponding number of scan servers according to the number of interceptions;
  • the traffic data to be scanned is allocated to the started scan servers, which continue with the step of determining whether the intercepted traffic data to be scanned is dynamic data.
  • the method may further include: receiving a vulnerability scan rule adjustment instruction for the traffic data to be scanned;
  • obtaining a vulnerability scan supplemental rule according to the vulnerability scan rule adjustment instruction, and performing vulnerability scanning on the traffic data to be scanned through the vulnerability scan supplemental rule.
  • in one embodiment, the step of intercepting the traffic data to be scanned, implemented by the processor when executing the computer readable instructions, may include: intercepting the traffic data to be scanned by an agent preset in the client.
  • in another embodiment, the step of intercepting the traffic data to be scanned, implemented by the processor when executing the computer readable instructions, may include: receiving, as the traffic data to be scanned, the mirrored traffic data generated by the core switch from the intercepted traffic.
  • a computer readable storage medium having stored thereon computer readable instructions that, when executed by a processor, perform the steps of: intercepting the traffic data to be scanned; determining whether the intercepted traffic data to be scanned is dynamic data; when it is dynamic data, querying whether the traffic data to be scanned has a parameter; when it has a parameter, obtaining the type of the traffic data to be scanned; obtaining the vulnerability scan rule corresponding to that type; and performing vulnerability scanning on the traffic data to be scanned through the vulnerability scan rule.
  • Non-volatile memory can include read only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), or flash memory.
  • Volatile memory can include random access memory (RAM) or external cache memory.
  • RAM is available in a variety of forms, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDRSDRAM), enhanced SDRAM (ESDRAM), Synchlink DRAM (SLDRAM), Rambus direct RAM (RDRAM), direct Rambus dynamic RAM (DRDRAM), and Rambus dynamic RAM (RDRAM).
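The scanning steps described above (intercept, dynamic check, parameter check, type lookup, rule lookup, scan), together with the supplemental-rule path driven by a rule adjustment instruction, as an added Python example that is not code from the patent or its applicant. The static-extension list, the traffic type names `query`, `form` and `json`, the rule names and payloads, and the sample requests are all assumptions constructed for illustration. Rules are modelled as payloads substituted into each parameter, and `scan` returns the probes it would send instead of sending them, so the example runs offline.

```python
"""Added example, not the patent's code: a minimal model of the scan pipeline
(intercept -> dynamic? -> has parameters? -> traffic type -> rules -> scan).
All names, rules and sample requests below are assumptions for illustration."""
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import parse_qsl, urlsplit

# Static-asset extensions the scanner skips (assumed list; the text only says
# that traffic which is not dynamic data is not scanned).
STATIC_EXTENSIONS = {".js", ".css", ".png", ".jpg", ".gif", ".ico", ".woff", ".svg"}

# Vulnerability scan rules keyed by traffic type.  Each rule is a payload that
# is substituted into every parameter.  Rule names and payloads are assumptions.
BASE_RULES: Dict[str, Dict[str, str]] = {
    "query": {"sqli_quote": "'", "xss_marker": "<scan-marker>", "path_traversal": "../../etc/passwd"},
    "form":  {"sqli_quote": "'", "xss_marker": "<scan-marker>"},
    "json":  {"sqli_quote": "'"},
}


@dataclass
class Request:
    """An intercepted HTTP request (from a client agent or a core-switch mirror)."""
    method: str
    url: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


@dataclass(frozen=True)
class Probe:
    """One scan action: send `payload` in parameter `param` under rule `rule`."""
    rule: str
    param: str
    payload: str


def is_dynamic(req: Request) -> bool:
    """Only dynamic traffic is scanned: anything that is not a plain GET of a
    static asset counts as dynamic."""
    parts = urlsplit(req.url)
    if req.method != "GET" or parts.query:
        return True
    name = parts.path.rsplit("/", 1)[-1].lower()
    ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
    return ext not in STATIC_EXTENSIONS


def traffic_type(req: Request) -> str:
    """The traffic type decides which rule set is fetched."""
    if req.method == "GET":
        return "query"
    ctype = req.headers.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype == "application/json":
        return "json"
    if ctype == "application/x-www-form-urlencoded":
        return "form"
    return "unknown"


def extract_params(req: Request) -> Dict[str, object]:
    """The parameters the scanner would mutate; an empty dict means nothing to scan."""
    kind = traffic_type(req)
    if kind == "query":
        return dict(parse_qsl(urlsplit(req.url).query, keep_blank_values=True))
    if kind == "form":
        return dict(parse_qsl(req.body, keep_blank_values=True))
    if kind == "json":
        try:
            data = json.loads(req.body)
        except ValueError:
            return {}
        return dict(data) if isinstance(data, dict) else {}
    return {}


def scan(req: Request, supplemental: Optional[Dict[str, str]] = None) -> List[Probe]:
    """Runs the steps in order and returns the probes the scanner would send.
    An empty list means the traffic was skipped (static, or no parameters).
    `supplemental` is a rule set obtained from a scan-rule adjustment instruction;
    it is merged into the rules selected for the traffic type."""
    if not is_dynamic(req):
        return []
    params = extract_params(req)
    if not params:
        return []
    rules = dict(BASE_RULES.get(traffic_type(req), {}))
    rules.update(supplemental or {})
    return [Probe(rule, name, payload)
            for name in params
            for rule, payload in rules.items()]


# Constructed sample traffic, not captured data.
SAMPLE_REQUESTS = [
    Request("GET", "http://app.example.internal/static/app.js"),
    Request("GET", "http://app.example.internal/search?q=shoes&page=2"),
    Request("POST", "http://app.example.internal/login",
            {"Content-Type": "application/x-www-form-urlencoded"}, "user=alice&pass=secret"),
    Request("POST", "http://app.example.internal/api/orders",
            {"Content-Type": "application/json"}, '{"sku": "A-1", "qty": 3}'),
    Request("GET", "http://app.example.internal/about"),  # dynamic, but no parameters
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(f"{req.method} {req.url}: {len(scan(req))} probe(s)")
```

Note the two early exits: the static asset never reaches the parameter check, and `/about` is dynamic but carries no parameter, so it produces no probes either; only the three parameterised requests are scanned, each with the rule set for its type.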
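The scan-server selection logic described above (fault check first, then the resource occupancy threshold, then hand-off to the standby server with the lowest occupancy) and the scale-out by interception count, as an added Python example that is not code from the patent or its applicant. The server names, occupancy figures, the threshold value, the per-server capacity and the round-robin allocation are assumptions made for illustration; the text fixes neither the threshold nor how traffic is divided among started servers.

```python
"""Added example, not the patent's code: choosing which scan server continues
the 'is this dynamic data?' step, and how many scan servers to start.
Threshold, capacity and server data are assumed values."""
from dataclasses import dataclass
from typing import Dict, List, Sequence


@dataclass
class ScanServer:
    name: str
    usage: float          # current resource occupancy rate, 0.0 .. 1.0
    healthy: bool = True  # False when the fault check fails


USAGE_THRESHOLD = 0.8  # assumed: above this the current server hands work off


def select_scan_server(current: ScanServer, standby: Sequence[ScanServer],
                       threshold: float = USAGE_THRESHOLD) -> ScanServer:
    """Order matters: the fault check runs before the occupancy check, so a
    faulty server never scans even when its reported occupancy is low."""
    candidates = [s for s in standby if s.healthy]
    if not current.healthy:
        if not candidates:
            raise RuntimeError("current scan server is faulty and no healthy standby is available")
        return min(candidates, key=lambda s: s.usage)
    if current.usage > threshold and candidates:
        return min(candidates, key=lambda s: s.usage)
    return current  # keep scanning locally


def servers_to_start(intercept_count: int, per_server_capacity: int, max_servers: int) -> int:
    """Scale-out: one scan server per `per_server_capacity` intercepted items,
    capped at the pool size (the cap is an assumption)."""
    if intercept_count <= 0:
        return 0
    needed = -(-intercept_count // per_server_capacity)  # ceiling division
    return min(needed, max_servers)


def allocate(items: Sequence[object], servers: Sequence[ScanServer]) -> Dict[str, List[object]]:
    """Spread the intercepted traffic over the started servers round-robin."""
    if not servers:
        raise ValueError("no scan servers started")
    assignment: Dict[str, List[object]] = {s.name: [] for s in servers}
    for i, item in enumerate(items):
        assignment[servers[i % len(servers)].name].append(item)
    return assignment


# Constructed pool state, not measurements.
CURRENT = ScanServer("scan-1", usage=0.9)
STANDBY = [ScanServer("scan-2", 0.5), ScanServer("scan-3", 0.2), ScanServer("scan-4", 0.1, healthy=False)]

if __name__ == "__main__":
    print("continues on:", select_scan_server(CURRENT, STANDBY).name)
    n = servers_to_start(250, per_server_capacity=100, max_servers=8)
    print("servers to start:", n)
    print(allocate(list(range(5)), STANDBY[:2]))
```

`scan-4` has the lowest occupancy but fails the fault check, so it is never chosen; the hand-off goes to `scan-3`.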

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Technology Law (AREA)
  • Computer And Data Communications (AREA)

Abstract

The present invention relates to a vulnerability scanning method, system, computer device and storage medium. The method comprises: intercepting traffic data to be scanned; determining whether the intercepted traffic data to be scanned is dynamic data; if so, querying whether the traffic data to be scanned has a parameter; if so, acquiring the type of the traffic data to be scanned; acquiring a vulnerability scanning rule corresponding to the type of the traffic data to be scanned; and performing vulnerability scanning on the traffic data to be scanned by means of the vulnerability scanning rule.
PCT/CN2018/077372 2017-12-30 2018-02-27 Procédé de balayage de vulnérabilité, dispositif, appareil informatique, et support de stockage WO2019127890A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201711492203.7A CN108206830B (zh) 2017-12-30 2017-12-30 漏洞扫描方法、装置、计算机设备和存储介质
CN201711492203.7 2017-12-30

Publications (1)

Publication Number Publication Date
WO2019127890A1 true WO2019127890A1 (fr) 2019-07-04

Family

ID=62606158

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2018/077372 WO2019127890A1 (fr) 2017-12-30 2018-02-27 Procédé de balayage de vulnérabilité, dispositif, appareil informatique, et support de stockage

Country Status (2)

Country Link
CN (1) CN108206830B (fr)
WO (1) WO2019127890A1 (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11930031B2 (en) 2020-06-23 2024-03-12 Tenable, Inc. Distributed network based vulnerability scanning via endpoint agent deployment

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110059007B (zh) * 2019-04-03 2020-12-22 奇安信科技集团股份有限公司 系统漏洞扫描方法、装置、计算机设备及存储介质
CN110377518B (zh) * 2019-07-17 2023-07-25 招商银行股份有限公司 全流程扫描方法、装置、设备及可读存储介质
CN111078517B (zh) * 2019-12-09 2023-09-01 广州品唯软件有限公司 一种页面监控方法、装置、计算机设备及存储介质
CN112464238B (zh) * 2020-12-15 2023-10-31 中国联合网络通信集团有限公司 漏洞扫描方法及电子设备
CN112468516A (zh) * 2020-12-17 2021-03-09 全球能源互联网研究院有限公司 一种安全防御方法、装置、电子设备及存储介质
CN112738068B (zh) * 2020-12-25 2023-03-07 北京天融信网络安全技术有限公司 一种网络脆弱性扫描方法及装置
CN115622744B (zh) * 2022-09-21 2024-04-09 天津大学 一种加密流量下的web漏洞扫描攻击检测系统

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20130055398A1 (en) * 2011-08-26 2013-02-28 Rapid7, LLC. Systems and methods for performing vulnerability scans on virtual machines
CN103685228A (zh) * 2013-10-12 2014-03-26 北京奇虎科技有限公司 一种网站漏洞快速扫描方法及设备
CN104144148A (zh) * 2013-05-10 2014-11-12 中国电信股份有限公司 漏洞扫描方法和服务器、以及风险评估系统
CN106656657A (zh) * 2016-11-11 2017-05-10 北京匡恩网络科技有限责任公司 基于工控协议的自适应漏洞挖掘框架

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7278161B2 (en) * 2001-10-01 2007-10-02 International Business Machines Corporation Protecting a data processing system from attack by a vandal who uses a vulnerability scanner
CN103685258B (zh) * 2013-12-06 2018-09-04 北京奇安信科技有限公司 一种快速扫描网站漏洞的方法和装置

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20130055398A1 (en) * 2011-08-26 2013-02-28 Rapid7, LLC. Systems and methods for performing vulnerability scans on virtual machines
CN104144148A (zh) * 2013-05-10 2014-11-12 中国电信股份有限公司 漏洞扫描方法和服务器、以及风险评估系统
CN103685228A (zh) * 2013-10-12 2014-03-26 北京奇虎科技有限公司 一种网站漏洞快速扫描方法及设备
CN106656657A (zh) * 2016-11-11 2017-05-10 北京匡恩网络科技有限责任公司 基于工控协议的自适应漏洞挖掘框架

Also Published As

Publication number Publication date
CN108206830A (zh) 2018-06-26
CN108206830B (zh) 2019-09-24

Similar Documents

Publication Publication Date Title
WO2019127890A1 (fr) Procédé de balayage de vulnérabilité, dispositif, appareil informatique, et support de stockage
WO2021109669A1 (fr) Procédé et dispositif de détection d'accès malveillant à un nom de domaine, et support de stockage lisible par ordinateur
US11985251B2 (en) Data synchronization method and apparatus, computer device, and readable storage medium
CN108319719B (zh) 数据库数据校验方法、装置、计算机设备和存储介质
US20180004852A1 (en) Method and system for facilitating terminal identifiers
WO2021013033A1 (fr) Procédé, appareil, dispositif et système d'opération de fichier, et support de stockage lisible par ordinateur
CN110602169B (zh) 服务调用方法、装置、计算机设备和存储介质
CN110197075B (zh) 资源访问方法、装置、计算设备以及存储介质
CN112015674A (zh) 基于多层级的缓存资源访问方法、装置和计算机设备
WO2022057231A1 (fr) Procédé et appareil d'accès à un serveur, dispositif, et support de stockage
CN110555041A (zh) 数据处理方法、装置、计算机设备和存储介质
WO2021031905A1 (fr) Procédé, appareil, dispositif et système de gestion de données, et support de stockage lisible par ordinateur
KR102242219B1 (ko) 서버가 공격받는 것을 막기 위한 방법 및 디바이스
CN111367693B (zh) 基于消息队列调度插件任务的方法、系统、设备及介质
CN112118238A (zh) 认证登录的方法、装置、系统、设备及存储介质
CN109302433B (zh) 远程命令执行漏洞的检测方法、装置、设备及存储介质
US20180039771A1 (en) Method of and server for authorizing execution of an application on an electronic device
CN113315750B (zh) 一种Kafka消息发布方法、装置及存储介质
CN115189897A (zh) 零信任网络的访问处理方法、装置、电子设备及存储介质
CN112215593A (zh) 一种支付方法、装置、服务器及存储介质
CN114866247B (zh) 一种通信方法、装置、系统、终端及服务器
WO2023077748A1 (fr) Procédé et appareil de gestion de comptes, dispositif informatique et support de stockage
CN115828256A (zh) 一种越权与未授权逻辑漏洞检测方法
CN114448665A (zh) 一种web应用防火墙规则检测方法、装置及电子设备
CN112711574A (zh) 数据库安全性检测方法、装置、电子设备及介质

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 18897707; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established (Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 06.10.2020))
122 Ep: pct application non-entry in european phase (Ref document number: 18897707; Country of ref document: EP; Kind code of ref document: A1)